// $Id: CHANGELOG.txt,v 1.173.2.35 2009/01/14 23:32:14 drumm Exp $

Drupal 5.15, 2009-01-14
-----------------------
- Fixed security issues, (Hardening against SQL injection), see SA-CORE-2009-001
- Fixed HTTP_HOST checking to work again with HTTP 1.0 clients and basic shell scripts.
- Fixed a variety of small bugs.

Drupal 5.14, 2008-12-11
-----------------------
- removed a previous change incompatible with PHP 5.1.x and lower.

Drupal 5.13, 2008-12-10
-----------------------
- fixed a variety of small bugs.
- fixed security issues, (Cross site request forgery and Cross site scripting), see SA-2008-073
- updated robots.txt and .htaccess to match current file use.

Drupal 5.12, 2008-10-22
-----------------------
- fixed security issues, (File inclusion), see SA-2008-067

Drupal 5.11, 2008-10-08
-----------------------
- fixed a variety of small bugs.
- fixed security issues, (File upload access bypass, Access rules bypass, BlogAPI access bypass, Node validation bypass), see SA-2008-060

Drupal 5.10, 2008-08-13
-----------------------
- fixed a variety of small bugs.
- fixed security issues, (Cross site scripting, Arbitrary file uploads via BlogAPI and Cross site request forgery), see SA-2008-047

Drupal 5.9, 2008-07-23
----------------------
- fixed a variety of small bugs.
- fixed security issues, (Session fixation), see SA-2008-046

Drupal 5.8, 2008-07-09
----------------------
- fixed a variety of small bugs.
- fixed security issues, (Cross site scripting, cross site request forgery, and session fixation), see SA-2008-044

Drupal 5.7, 2008-01-28
----------------------
- fixed the input format configuration page.
- fixed a variety of small bugs.

Drupal 5.6, 2008-01-10
----------------------
- fixed a variety of small bugs.
- fixed a security issue (Cross site request forgery), see SA-2008-005
- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007

Drupal 5.5, 2007-12-06
----------------------
- fixed missing brackets in a query in the user module.
- fixed taxonomy feed bug introduced by SA-2007-031

Drupal 5.4, 2007-12-05
----------------------
- fixed a variety of small bugs.
- fixed a security issue (SQL injection), see SA-2007-031

Drupal 5.3, 2007-10-17
----------------------
- fixed a variety of small bugs.
- fixed a security issue (HTTP response splitting), see SA-2007-024
- fixed a security issue (Arbitrary code execution via installer), see SA-2007-025
- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
- fixed a security issue (User deletion cross site request forgery), see SA-2007-029
- fixed a security issue (API handling of unpublished comment), see SA-2007-030

Drupal 5.2, 2007-07-26
----------------------
- changed hook_link() $teaser argument to match documentation.
- fixed a variety of small bugs.
- fixed a security issue (cross-site request forgery), see SA-2007-017
- fixed a security issue (cross-site scripting), see SA-2007-018

Drupal 5.1, 2007-01-29
----------------------
- fixed security issue (code execution), see SA-2007-005
- fixed a variety of small bugs.

Drupal 5.0, 2007-01-15
------------------------
- completely retooled the administration page
    * /admin now contains an administration page which may be themed
    * reorganised administration menu items by task and by module
    * added a status report page with detailed PHP/MySQL/Drupal information
- added web-based installer which can:
    * check installation and run-time requirements
    * automatically generate the database configuration file
    * install pre-made 'install profiles' or distributions
    * import the database structure with automatic table prefixing
    * be localized
- added new default Garland theme
- added color module to change some themes' color schemes
- included the jQuery JavaScript library 1.0.4 and converted all core JavaScript to use it
- introduced the ability to alter mail sent from system
- module system:
    * added .info files for module meta-data
    * added support for module dependencies
    * improved module installation screen
    * moved core modules to their own directories
    * added support for module uninstalling
- added support for different cache backends
- added support for a generic "sites/all" directory.
- usability:
    * added support for auto-complete forms (AJAX) to user profiles.
    * made it possible to instantly assign roles to newly created user accounts.
    * improved configurability of the contact forms.
    * reorganized the settings pages.
    * made it easy to investigate popular search terms.
    * added a 'select all' checkbox and a range select feature to administration tables.
    * simplified the 'break' tag to split teasers from body.
    * use proper capitalization for titles, menu items and operations.
- integrated urlfilter.module into filter.module
- block system:
    * extended the block visibility settings with a role specific setting.
    * made it possible to customize all block titles.
- poll module:
    * optionally allow people to inspect all votes.
    * optionally allow people to cancel their vote.
- distributed authentication:
    * added default server option.
- added default robots.txt to control crawlers.
- database API:
    * added db_table_exists().
- blogapi module:
    * 'blogapi new' and 'blogapi edit' nodeapi operations.
- user module:
    * added hook_profile_alter().
    * e-mail verification is made optional.
    * added mass editing and filtering on admin/user/user.
- PHP Template engine:
    * add the ability to look for a series of suggested templates.
    * look for page templates based upon the path.
    * look for block templates based upon the region, module, and delta.
- content system:
    * made it easier for node access modules to work well with each other.
    * added configurable content types.
    * changed node rendering to work with structured arrays.
- performance:
    * improved session handling: reduces database overhead.
    * improved access checking: reduces database overhead.
    * made it possible to do memcached based session management.
    * omit sidebars when serving a '404 - Page not found': saves CPU cycles and bandwidth.
    * added an 'aggressive' caching policy.
    * added a CSS aggregator and compressor (up to 40% faster page loads).
- removed the archive module.
- upgrade system:
    * created space for update branches.
- forms API:
    * made it possible to programmatically submit forms.
    * improved api for multistep forms.
- theme system:
    * split up and removed drupal.css.
    * added nested lists generation.
    * added a self-clearing block class.

Drupal 4.7.11, 2008-01-10
-------------------------
- fixed a security issue (Cross site request forgery), see SA-2008-005
- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007

Drupal 4.7.10, 2007-12-06
-------------------------
- fixed taxonomy feed bug introduced by SA-2007-031

Drupal 4.7.9, 2007-12-05
------------------------
- fixed a security issue (SQL injection), see SA-2007-031

Drupal 4.7.8, 2007-10-17
------------------------
- fixed a security issue (HTTP response splitting), see SA-2007-024
- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
- fixed a security issue (API handling of unpublished comment), see SA-2007-030

Drupal 4.7.7, 2007-07-26
------------------------
- fixed security issue (XSS), see SA-2007-018

Drupal 4.7.6, 2007-01-29
------------------------
- fixed security issue (code execution), see SA-2007-005

Drupal 4.7.5, 2007-01-05
------------------------
- fixed security issue (XSS), see SA-2007-001
- fixed security issue (DoS), see SA-2007-002

Drupal 4.7.4, 2006-10-18
------------------------
- fixed security issue (XSS), see SA-2006-024
- fixed security issue (CSRF), see SA-2006-025
- fixed security issue (Form action attribute injection), see SA-2006-026

Drupal 4.7.3, 2006-08-02
------------------------
- fixed security issue (XSS), see SA-2006-011

Drupal 4.7.2, 2006-06-01
------------------------
- fixed critical upload issue, see SA-2006-007
- fixed taxonomy XSS issue, see SA-2006-008
- fixed a variety of small bugs.

Drupal 4.7.1, 2006-05-24
------------------------
- fixed critical SQL issue, see SA-2006-005
- fixed a serious upgrade related bug.
- fixed a variety of small bugs.

Drupal 4.7.0, 2006-05-01
------------------------
- added free tagging support.
- added a site-wide contact form.
- theme system:
    * added the PHPTemplate theme engine and removed the Xtemplate engine.
    * converted the bluemarine theme from XTemplate to PHPTemplate.
    * converted the pushbutton theme from XTemplate to PHPTemplate.
- usability:
    * reworked the 'request new password' functionality.
    * reworked the node and comment edit forms.
    * made it easy to add nodes to the navigation menu.
    * added site 'offline for maintenance' feature.
    * added support for auto-complete forms (AJAX).
    * added support for collapsible page sections (JS).
    * added support for resizable text fields (JS).
    * improved file upload functionality (AJAX).
    * reorganized some settings pages.
    * added friendly database error screens.
    * improved styling of update.php.
- refactored the forms API.
    * made it possible to alter, extend or theme forms.
- comment system:
    * added support for "mass comment operations" to ease repetitive tasks.
    * comment moderation has been removed.
- node system:
    * reworked the revision functionality.
    * removed the bookmarklet code. Third-party modules can now handle this.
- upgrade system:
    * allows contributed modules to plug into the upgrade system.
- profiles:
    * added a block to display author information along with posts.
    * added support for private profile fields.
- statistics module:
    * added the ability to track page generation times.
    * made it possible to block certain IPs/hostnames.
- block system:
    * added support for theme-specific block regions.
- syndication:
    * made the aggregator module parse Atom feeds.
    * made the aggregator generate RSS feeds.
    * added RSS feed settings.
- XML-RPC:
    * replaced the XML-RPC library by a better one.
- performance:
    * added 'loose caching' option for high-traffic sites.
    * improved performance of path aliasing.
    * added the ability to track page generation times.
- internationalization:
    * improved Unicode string handling API.
    * added support for PHP's multibyte string module.
- added support for PHP5's 'mysqli' extension.
- search module:
    * made indexer smarter and more robust.
    * added advanced search operators (e.g. phrase, node type, ...).
    * added customizable result ranking.
- PostgreSQL support:
    * removed dependency on PL/pgSQL procedural language.
- menu system:
    * added support for external URLs.
- queue module:
    * removed from core.
- HTTP handling:
    * added support for a tolerant Base URL.
    * output URIs relative to the root, without a base tag.

Drupal 4.6.11, 2007-01-05
-------------------------
- fixed security issue (XSS), see SA-2007-001
- fixed security issue (DoS), see SA-2007-002

Drupal 4.6.10, 2006-10-18
------------------------
- fixed security issue (XSS), see SA-2006-024
- fixed security issue (CSRF), see SA-2006-025
- fixed security issue (Form action attribute injection), see SA-2006-026

Drupal 4.6.9, 2006-08-02
------------------------
- fixed security issue (XSS), see SA-2006-011

Drupal 4.6.8, 2006-06-01
------------------------
- fixed critical upload issue, see SA-2006-007
- fixed taxonomy XSS issue, see SA-2006-008

Drupal 4.6.7, 2006-05-24
------------------------
- fixed critical SQL issue, see SA-2006-005

Drupal 4.6.6, 2006-03-13
------------------------
- fixed bugs, including 4 security vulnerabilities.

Drupal 4.6.5, 2005-12-12
------------------------
- fixed bugs: no critical bugs were identified.

Drupal 4.6.4, 2005-11-30
------------------------
- fixed bugs, including 3 security vulnerabilities.

Drupal 4.6.3, 2005-08-15
------------------------
- fixed bugs, including a critical "arbitrary PHP code execution" bug.

Drupal 4.6.2, 2005-06-29
------------------------
- fixed bugs, including two critical "arbitrary PHP code execution" bugs.

Drupal 4.6.1, 2005-06-01
------------------------
- fixed bugs, including a critical input validation bug.

Drupal 4.6.0, 2005-04-15
------------------------
- PHP5 compliance
- search:
    * added UTF-8 support to make it work with all languages.
    * improved search indexing algorithm.
    * improved search output.
    * impose a throttle on indexing of large sites.
    * added search block.
- syndication:
    * made the ping module ping pingomatic.com which, in turn, will ping all the major ping services.
    * made Drupal generate RSS 2.0 feeds.
    * made RSS feeds extensible.
    * added categories to RSS feeds.
    * added enclosures to RSS feeds.
- flood control mechanism:
    * added a mechanism to throttle certain operations.
- usability:
    * refactored the block configuration pages.
    * refactored the statistics pages.
    * refactored the watchdog pages.
    * refactored the throttle module configuration.
    * refactored the access rules page.
    * refactored the content administration page.
    * introduced forum configuration pages.
    * added an 'add child page' link to book pages.
- contact module:
    * added a simple contact module that allows users to contact each other using e-mail.
- multi-site configuration:
    * made it possible to run multiple sites from a single code base.
- added an image API: enables better image handling.
- block system:
    * extended the block visibility settings.
- theme system:
    * added new theme functions.
- database backend:
    * the PEAR database backend is no longer supported.
- performance:
    * improved performance of the forum topics block.
    * improved performance of the tracker module.
    * improved performance of the node pages.
- documentation:
    * improved and extended PHPDoc/Doxygen comments.

Drupal 4.5.8, 2006-03-13
------------------------
- fixed bugs, including 3 security vulnerabilities.

Drupal 4.5.7, 2005-12-12
------------------------
- fixed bugs: no critical bugs were identified.

Drupal 4.5.6, 2005-11-30
------------------------
- fixed bugs, including 3 security vulnerabilities.

Drupal 4.5.5, 2005-08-15
------------------------
- fixed bugs, including a critical "arbitrary PHP code execution" bug.

Drupal 4.5.4, 2005-06-29
------------------------
- fixed bugs, including two critical "arbitrary PHP code execution" bugs.

Drupal 4.5.3, 2005-06-01
------------------------
- fixed bugs, including a critical input validation bug.

Drupal 4.5.2, 2005-01-15
------------------------
- fixed bugs: a cross-site scripting (XSS) vulnerability has been fixed.

Drupal 4.5.1, 2004-12-01
------------------------
- fixed bugs: no critical bugs were identified.

Drupal 4.5.0, 2004-10-18
------------------------
- navigation:
    * made it possible to add, delete, rename and move menu items.
    * introduced tabs and subtabs for local tasks.
    * reorganized the navigation menus.
- user management:
    * added support for multiple roles per user.
    * made it possible to add custom profile fields.
    * made it possible to browse user profiles by field.
- node system:
    * added support for node-level permissions.
- comment module:
    * made it possible to leave contact information without having to register.
- upload module:
    * added support for uploading documents (includes images).
- forum module:
    * added support for sticky forum topics.
    * made it possible to track forum topics.
- syndication:
    * added support for RSS ping-notifications of http://technorati.com/.
    * refactored the categorization of syndicated news items.
    * added a URL alias for 'rss.xml'.
    * improved date parsing.
- database backend:
    * added support for multiple database connections.
    * the PostgreSQL backend no longer requires PEAR.
- theme system:
    * changed all GIFs to PNGs.
    * reorganised the handling of themes, template engines, templates and styles.
    * unified and extended the available theme settings.
    * added theme screenshots.
- blocks:
    * added 'recent comments' block.
    * added 'categories' block.
- blogger API:
    * added support for auto-discovery of blogger API via RSD.
- performance:
    * added support for sending gzip compressed pages.
    * improved performance of the forum module.
- accessibility:
    * improved the accessibility of the archive module's calendar.
    * improved form handling and error reporting.
    * added HTTP redirects to prevent submitting twice when refreshing right after a form submission.
- refactored 403 (forbidden) handling and added support for custom 403 pages.
- documentation:
    * added PHPDoc/Doxygen comments.
- filter system:
    * added support for using multiple input formats on the site
    * expanded the embedded PHP-code feature so it can be used everywhere
    * added support for role-dependant filtering, through input formats
- UI translation:
    * managing translations is now completely done through the administration interface
    * added support for importing/exporting gettext .po files

Drupal 4.4.3, 2005-06-01
------------------------
- fixed bugs, including a critical input validation bug.

Drupal 4.4.2, 2004-07-04
------------------------
- fixed bugs: no critical bugs were identified.

Drupal 4.4.1, 2004-05-01
------------------------
- fixed bugs: no critical bugs were identified.

Drupal 4.4.0, 2004-04-01
------------------------
- added support for the MetaWeblog API and MovableType extensions.
- added a file API: enables better document management.
- improved the watchdog and search module to log search keys.
- news aggregator:
    * added support for conditional GET.
    * added OPML feed subscription list.
    * added support for , , , , and .
- comment module:
    * made it possible to disable the "comment viewing controls".
- performance:
    * improved module loading when serving cached pages.
    * made it possible to automatically disable modules when under heavy load.
    * made it possible to automatically disable blocks when under heavy load.
    * improved performance and memory footprint of the locale module.
- theme system:
    * made all theme functions start with 'theme_'.
    * made all theme functions return their output.
    * migrated away from using the BaseTheme class.
    * added many new theme functions and refactored existing theme functions.
    * added avatar support to 'Xtemplate'.
    * replaced theme 'UnConeD' by 'Chameleon'.
    * replaced theme 'Marvin' by 'Pushbutton'.
- usability:
    * added breadcrumb navigation to all pages.
    * made it possible to add context-sensitive help to all pages.
    * replaced drop-down menus by radio buttons where appropriate.
    * removed the 'magic_quotes_gpc = 0' requirement.
    * added a 'book navigation' block.
- accessibility:
    * made themes degrade gracefully in absence of CSS.
    * grouped form elements using '' and '' tags.
    * added '